⭐
Deployment Guide
Deploying the self-hosted SIWE OIDC Provider

Build & Deploy

Deploying to a Cloudflare Worker

First, ensure wrangler is installed and ready to interact with Cloudflare Worker API. You will need a Cloudflare account. Clone the project repository, and setup your Cloudflare Worker project after authenticating with Wrangler.
git clone https://github.com/spruceid/siwe-oidc
cd siwe-oidc
wrangler login
wrangler whoami # account_id
wrangler kv:namespace create SIWE_OIDC # kv_namespaces entry
Use the example Wrangler configuration file as a starting template:
cp wrangler_example.toml wrangler.toml
Populate the following fields for the Cloudflare Worker:
  • account_id: the Cloudflare account ID;
  • zone_id: (Optional) DNS zone ID; and
  • kv_namespaces: an array of KV namespaces
Create and publish the worker:
wrangler publish
The IdP currently only supports having the frontend under the same subdomain as the API. Here is the configuration for Cloudflare Pages:
  • Build command: cd js/ui && npm install && npm run build;
  • Build output directory: /static; and
  • Root directory: /. And you will need to add some rules to do the routing between the Page and the Worker. Here are the rules for the Worker (the Page being used as the fallback on the subdomain):
siweoidc.example.com/s*
siweoidc.example.com/u*
siweoidc.example.com/r*
siweoidc.example.com/a*
siweoidc.example.com/t*
siweoidc.example.com/j*
siweoidc.example.com/.w*

Stand-Alone Binary

Dependencies
Redis, or a Redis compatible database (e.g. MemoryDB in AWS), is required.
Starting the IdP
The Docker image is available at ghcr.io/spruceid/siwe_oidc:0.1.0. Here is an example usage:
docker run -p 8000:8000 -e SIWEOIDC_ADDRESS="0.0.0.0" -e SIWEOIDC_REDIS_URL="redis://redis" ghcr.io/spruceid/siwe_oidc:latest
It can be configured either with the siwe-oidc.toml configuration file, or through environment variables:
  • SIWEOIDC_ADDRESS is the IP address to bind to.
  • SIWEOIDC_REDIS_URL is the URL to the Redis instance.
  • SIWEOIDC_BASE_URL is the URL you want to advertise in the OIDC configuration (e.g. https://oidc.example.com).
  • SIWEOIDC_RSA_PEM is the signing key, in PEM format. One will be generated if none is provided.

OIDC Functionalities

The current flow is very basic -- after the user is authenticated you will receive an Ethereum address as the subject (sub field).
For the core OIDC information, it is available under /.well-known/openid-configuration.
OIDC Conformance Suite:
  • 🟨 (25/29, and 10 skipped) basic (email scope skipped, profile scope partially supported, ACR, prompt=none and request URIs yet to be supported);
  • 🟩 config;
  • 🟧 dynamic code.

Development

Cloudflare Worker

wrangler dev
At the moment it's not possible to use it end-to-end with the frontend as they need to share the same host (i.e. port), unless using a local load-balancer.

Stand Alone Binary

A Docker Compose is available to test the IdP locally with Keycloak.
  • You will first need to run:
docker-compose up -d
  • And then edit your /etc/hosts to have siwe-oidc point to 127.0.0.1. This is so both your browser, and Keycloak, can access the IdP.
  • In Keycloak, you will need to create a new IdP. You can use http://siwe-oidc:8000/.well-known/openid-configuration to fill the settings automatically. As for the client ID/secret, you can use sdf/sdf.
Copy link
Outline
Build & Deploy
Deploying to a Cloudflare Worker
Stand-Alone Binary
Development